Yeah, I think this is too dramatic. Legitimate linking in comments is good! But we could do no links in comments for a week post-signup or something like that to cut down on this vector? |
|
From what I've seen, accounts can keep creating comments long after they've been created as well, so I'm not sure if it's enough. We could add the same condition as showing the global user page maybe: only if you are affiliated with at least one community? I could also use #3521 to find out the ratio of comments from illegitimate accounts with links vs comments of legit users with links? My guess would be that the ratio is something like 1000:1 at least. At that point I'm not sure if we can determine legitimate linking without some spam service checking every new comment. But I might also be going a bit too far here, maybe some spam is acceptable. I'm just feeling a bit "the purpose of the system is what it does" about this when I look at the comments here for instance: https://data-feminism.mitpress.mit.edu/pub/a1ao95xs/release/4?collectionSlug=adaglgld (ironic, using links...) (edit: by which I mean: if 99% of comments use links to spam, isn't it a spam feature rather than a link feature?) I feel a bit icky about having all this spam here! But that's not per se the most productive angle to tackle this from haha, maybe running the script in #3521 once, and giving community admins those flagging tools (stay tuned) is enough |
|
Yeah, we're not going to eliminate all spam. You've put in place tools that should both drastically reduce it going forward and buy us time to help us identify and eliminate past spam, too. Let's at least try letting that work before. POSIWID is a good guide to identifying issues but if, in trying to solve the problems, we allow the descriptive to override the normative, we are ceding our roadmap to spammers. On the specifics: I think we should run the script in #3521. If we have some false positives, that is imo preferable to turning off functionality. |
Knowing little about how spam bots actually work, my instinct says that if a bot can't proceed because of a link in the discussion body, it (or the system that manages it) may stop trying that particular spam vector. But at the same time, I've seen bots bypass spam filters with simple formatting/whitespace tricks... so we would need to think about that too. What are the chances that a bot will continue its attempts after a week's worth of failing to comment? And is a heuristic like that on a timer? e.g. do these bot systems eventually "learn" the spam rules of a given platform in order to bypass them? Or are they much simpler? |
hmmm that's a good point yeah. just because they currently just kept on going, doesn't mean they would if there's no immediate reward
I doubt it, maybe now with AI that's a slightly more realistic risk, but I don't think most of the bots are very smart. The primary motivation to run the bot on us vs somewhere else is just a cost vs output thing: if it's very cheap to run a bot to spam a quadrillion comments on our website then they would do that instead of doing something else. If they had to run like a full LLM I don't think it would be cost effective because the gains are soooo small I reckon. That's also the primary idea with the captchas: they don't actually check whether you're a human, just slows bots down enough for it to not really be worth it (ideally)
there will for sure be different spam, I've seen some non-link spam comments as well, but the number of those is very small in comparison. |
alright! I'll turn this PR into a draft then in case we want to try out a more limited version of this in the future, let's see in a month or so (and close it if not needed)? |
Issue(s) Resolved
To be revisited after running #3521
s p a m
What
This PR disables the ability to add links to comments, by removing the Link button from the formatting bar, disabling the Cmd+K shortcut, and disabling the https:// regex.
It also makes it so links in previous comments are now no longer present in the DOM on load: they only appear once you click on them in a popover, where they are escaped.
The latter is maybe a bit dramatic, we could just show the actual link there as well.